Controllerless Networks


Aruba Instant Wi-Fi: Meet the controllerless Wi-Fi solution that's easy to set-up, is loaded with security and smarts, and won't break your budget.

How to set the access rule for networks so that it can only talk to the internet and just a few local IP's

  • 1.  How to set the access rule for networks so that it can only talk to the internet and just a few local IP's

    Posted Sep 03, 2021 12:32 PM

    Hi all,

    I'm working on an Instant IP config where my local subnet is 192.168.1.254 / 255.255.248.0
    DHCP on 192.168.2.1-7.250

    DHCP, Gateway & DNS: 192.168.1.254

    What I would like to do is allow all the DHCP clients to get to the internet and talk to a few IPs like 192.168.1.249-254, like 192.168.1.254/255.255.255.248.0.

    If I set up this rule in Instant, I go to Networks > Access and change the access rules to network-based, but then I'm a bit stuck: I did try to exclude the lower IP range below 192.168.1.249, but that doesn't work, as I'm then not even getting DHCP any longer :(

    I did try, as an example, to exclude IP access to IPs below 1.126 by using: Deny any to network 192.168.1.0/255.255.255.128, followed by allow all destinations, but still I get no DHCP any longer.

    Would somebody have any practical suggestion on how to achieve this?



    ------------------------------
    Jeroen Kleen
    ------------------------------


  • 2.  RE: How to set the access rule for networks so that it can only talk to the internet and just a few local IP's

    Posted Sep 05, 2021 05:30 PM


  • 3.  RE: How to set the access rule for networks so that it can only talk to the internet and just a few local IP's

    Posted Sep 15, 2021 08:29 AM

    I suggest using the settings below (only for DHCP and DNS):

    For the rest, you can add the few IPs you want to allow above the deny rules.


    ------------------
    Arjan Ploeg
    ------------------



  • 4.  RE: How to set the access rule for networks so that it can only talk to the internet and just a few local IP's

    Posted Sep 07, 2021 10:14 AM
    I know I'm a bit old-school, but when it comes to access rules I tend to go to the CLI.
    First thing to be aware of is that when a device is trying to get an IP via DHCP, it uses the placeholder IP of 0.0.0.0 since it doesn't have an IP yet - so you need to let that through. Something that might match what you're looking for:

    wlan access-rule placeholder
    index 0
    rule any any match udp 67 69 permit
    rule 192.168.1.0 255.255.255.0 match any any permit
    rule 192.168.0.0 255.255.0.0 match any any deny
    rule any any match any any any permit

    The first rule allows DHCP.
    Second allows access to one particular network in 192.168.x.x
    Third denies all other networks in 192.168.x.x
    Last allows access to everything else, i.e. to the Internet & external.

    ------------------------------
    Andrew Rutherford
    ------------------------------



  • 5.  RE: How to set the access rule for networks so that it can only talk to the internet and just a few local IP's

    Posted Sep 10, 2021 01:16 AM
    Didn't see your screenshot the first time. The problem is you're limiting DHCP to only the server's address, but the device requesting DHCP doesn't know anything about the network when it makes the initial request, so the target IP is 0.0.0.0 - so the DHCP request is blocked, the device doesn't get an IP, and nothing works from there.
    Easiest is to blanket-allow anything to DHCP ports, then block DHCP ports outbound on your external firewall so someone doesn't try to hide a VPN inside DHCP ports - and yes, I've seen this done. :-(

    ------------------------------
    Andrew Rutherford
    ------------------------------
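The following is an added example, not code from the thread or from Aruba: a small Python model of first-match access-rule evaluation, loaded with the four rules Andrew posted, that shows why the DHCP broadcast needs a blanket permit (posts 4 and 5) and why the permitted local network must sit above the deny rule (post 3). It assumes Instant evaluates rules top-down with an implicit deny at the end, and that rules match on destination address, protocol and port only.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


# Model of one "rule <dst> <mask> match <proto> <ports> <action>" line (assumed matching semantics).
@dataclass
class Rule:
    dst: str                           # "any" or "network/mask"
    proto: str                         # "udp", "tcp" or "any"
    ports: Optional[Tuple[int, int]]   # (first, last) port, or None for any port
    action: str                        # "permit" or "deny"

    def matches(self, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        if self.dst != "any" and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != proto:
            return False
        if self.ports and (dport is None or not self.ports[0] <= dport <= self.ports[1]):
            return False
        return True


def evaluate(rules: List[Rule], dst_ip: str, proto: str = "tcp", dport: Optional[int] = None) -> str:
    """First matching rule wins; an unmatched packet is dropped (assumed implicit deny)."""
    for rule in rules:
        if rule.matches(dst_ip, proto, dport):
            return rule.action
    return "deny"


# Andrew's four rules, in the order he posted them.
POSTED_RULES = [
    Rule("any", "udp", (67, 69), "permit"),                    # DHCP (and TFTP 69) to anywhere
    Rule("192.168.1.0/255.255.255.0", "any", None, "permit"),  # the one allowed local network
    Rule("192.168.0.0/255.255.0.0", "any", None, "deny"),      # every other 192.168.x.x network
    Rule("any", "any", None, "permit"),                        # Internet and everything else
]

# Same rules with the local permit placed below the deny: the ordering Arjan warns against.
MISORDERED_RULES = [POSTED_RULES[0], POSTED_RULES[2], POSTED_RULES[1], POSTED_RULES[3]]

# A DHCP permit scoped to the server's unicast address only (constructed to mirror post 5).
SERVER_ONLY_DHCP = [Rule("192.168.1.254/255.255.255.255", "udp", (67, 68), "permit")]


def dhcp_discover_allowed(rules: List[Rule]) -> bool:
    # A client without a lease sends from 0.0.0.0 to the broadcast address on UDP 67,
    # so the destination is never the DHCP server's own address at that point.
    return evaluate(rules, "255.255.255.255", "udp", 67) == "permit"


if __name__ == "__main__":
    for dst in ("192.168.1.250", "192.168.5.5", "8.8.8.8"):
        print(dst, evaluate(POSTED_RULES, dst), evaluate(MISORDERED_RULES, dst))
    print("DHCP broadcast:", dhcp_discover_allowed(POSTED_RULES), dhcp_discover_allowed(SERVER_ONLY_DHCP))
```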